-rw-r--r--etc/ipf.rules9
-rw-r--r--etc/netstart12
-rw-r--r--etc/rc4
-rw-r--r--share/ipf/Makefile13
-rw-r--r--share/ipf/example.14
-rw-r--r--share/ipf/example.1012
-rw-r--r--share/ipf/example.1126
-rw-r--r--share/ipf/example.1217
-rw-r--r--share/ipf/example.1361
-rw-r--r--share/ipf/example.1410
-rw-r--r--share/ipf/example.24
-rw-r--r--share/ipf/example.340
-rw-r--r--share/ipf/example.44
-rw-r--r--share/ipf/example.525
-rw-r--r--share/ipf/example.65
-rw-r--r--share/ipf/example.712
-rw-r--r--share/ipf/example.810
-rw-r--r--share/ipf/example.912
18 files changed, 280 insertions, 0 deletions
diff --git a/etc/ipf.rules b/etc/ipf.rules
new file mode 100644
index 00000000000..24ed030709a
--- /dev/null
+++ b/etc/ipf.rules
@@ -0,0 +1,9 @@
+#
+# IP filtering rules. See the ipf(5) man page for more
+# information on the format of this file, and /usr/share/ipf
+# for example configuration files.
+#
+# Pass all packets by default.
+#
+pass in from any to any
+pass out from any to any
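Review bot: The two `pass` rules make the shipped file a no-op, so `ipfilter=YES` with the default file filters nothing; that is a reasonable safe default, but the header comment should tell the administrator how to build on it. ipf evaluates a ruleset last-match-wins unless a rule is marked `quick` (example.13 in this same commit relies on this: its `pass in from any to any` is followed by `block` rules that still take effect), so site rules appended after these two lines override them. I would extend the header with `# Rules are matched last-match-wins unless marked 'quick'; add site rules below.`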
diff --git a/etc/netstart b/etc/netstart
index f27081374ff..083167f053f 100644
--- a/etc/netstart
+++ b/etc/netstart
@@ -20,12 +20,15 @@ nfs_client=NO
gated=NO
kerberos_server=NO
amd=NO
+ipfilter=NO
# miscellaneous other flags
# only used if the appropriate server is marked YES above
gated_flags=
amd_dir=/amd # AMD's mount directory
amd_master=/etc/amd/master # AMD 'master' map
+ipfilter_rules=/etc/ipf.rules # Rules for IP packet filtering
+ipmon_flags=-s # To disable logging, use ipmon_flags=NO
# /etc/myname contains my symbolic name
#
@@ -35,6 +38,15 @@ if [ -f /etc/defaultdomain ]; then
domainname `cat /etc/defaultdomain`
fi
+# Configure the IP filter before configuring network interfaces
+#
+if [ X"${ipfilter}" = X"YES" -a -f "${ipfilter_rules}" ]; then
+ echo 'configuring IP filter'
+ ipf -Fa -f ${ipfilter_rules} -E
+else
+ ipfilter=NO
+fi
+
# configure all of the interfaces which we know about.
# do this by reading /etc/hostname.* files, where * is the name
# of a given interface.
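Review bot: `${ipfilter_rules}` is quoted in the test on the `if` line but not in the `ipf` invocation two lines later; the path should be quoted in both places. The failure paths are also silent: when `ipfilter=YES` but the rules file is missing the script quietly downgrades to `ipfilter=NO` and the interfaces are then configured unfiltered, and a non-zero exit from `ipf` (for example a rule that fails to parse) is ignored, so the filter may be enabled with `-E` while the intended rules were never loaded. Both cases deserve a message on stderr so that a boot which does not filter as configured is visible; whether `-E` should additionally be withheld when loading fails depends on ipf's option-ordering semantics, which cannot be confirmed from this diff.
```shell
if [ X"${ipfilter}" = X"YES" ]; then
	if [ -f "${ipfilter_rules}" ]; then
		echo 'configuring IP filter'
		ipf -Fa -f "${ipfilter_rules}" -E ||
		    echo "ipf: failed to load ${ipfilter_rules}" >&2
	else
		echo "ipf: ${ipfilter_rules} not found, IP filter not enabled" >&2
		ipfilter=NO
	fi
fi
```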
diff --git a/etc/rc b/etc/rc
index 63a738585fa..ad7e7b51611 100644
--- a/etc/rc
+++ b/etc/rc
@@ -80,6 +80,10 @@ echo 'starting network'
mount /usr >/dev/null 2>&1
mount /var >/dev/null 2>&1
+if [ X"${ipfilter}" = X"YES" -a X"${ipmon_flags}" != X"NO" ]; then
+ ipmon ${ipmon_flags} &
+fi
+
# clean up left-over files
rm -f /etc/nologin
rm -f /var/spool/lock/LCK.*
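Review bot: `ipmon ${ipmon_flags} &` is started with the `-s` default from the netstart hunk, i.e. it logs through syslog, yet at this point in rc only /usr and /var have been mounted; if syslogd is started later in rc (outside this hunk) the records ipmon produces during the rest of the boot are lost. Consider starting it after syslogd, or at least record the dependency: `# ipmon -s logs via syslogd; records produced before syslogd is up are dropped`. The test also relies on `ipfilter` and `ipmon_flags` having been set by /etc/netstart being sourced earlier in rc, which is not visible here. Leaving `${ipmon_flags}` unquoted is presumably deliberate so that several flags word-split into separate arguments; a short comment saying so would stop a later cleanup from quoting it.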
diff --git a/share/ipf/Makefile b/share/ipf/Makefile
new file mode 100644
index 00000000000..5d009fff9c1
--- /dev/null
+++ b/share/ipf/Makefile
@@ -0,0 +1,13 @@
+#
+# $Id: Makefile,v 1.1 1996/01/09 09:29:32 dm Exp $
+#
+FILES= example.*
+NOOBJ= noobj
+
+all clean cleandir depend lint tags:
+
+install:
+ install -d ${DESTDIR}${BINDIR}/ipf
+ install -c -m 0444 ${FILES} ${DESTDIR}${BINDIR}/ipf
+
+.include <bsd.prog.mk>
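Review bot: The examples are installed under `${DESTDIR}${BINDIR}/ipf`, while the comment in etc/ipf.rules in this same commit points users to /usr/share/ipf. The two only agree if BINDIR is overridden to /usr/share by a share/Makefile.inc that is not part of this diff; with bsd.prog.mk's own BINDIR default the files would land in a bin directory. A comment making that dependency explicit would help: `# BINDIR is expected to be /usr/share here (see share/Makefile.inc), giving /usr/share/ipf`.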
diff --git a/share/ipf/example.1 b/share/ipf/example.1
new file mode 100644
index 00000000000..604346e13db
--- /dev/null
+++ b/share/ipf/example.1
@@ -0,0 +1,4 @@
+#
+# block all incoming TCP packets on le0 from host "foo" to any destination.
+#
+block in on le0 proto tcp from foo/32 to any
diff --git a/share/ipf/example.10 b/share/ipf/example.10
new file mode 100644
index 00000000000..477c2e071a0
--- /dev/null
+++ b/share/ipf/example.10
@@ -0,0 +1,12 @@
+#
+# pass ack packets (ie established connection)
+#
+pass in proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
+pass out proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
+#
+# block incoming connection requests to my internal network from the big bad
+# internet.
+#
+block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA
+# to block the replies:
+block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA
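Review bot: The last rule, `block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA`, gives the source as a bare `10.1.0.0` while the inbound rule it mirrors uses `10.1.0.0/16`; without the mask only the single address 10.1.0.0 is matched, so replies from the rest of the internal network are not blocked as the comment says. Suggest `block out on le0 proto tcp from 10.1.0.0/16 to any flags SA/SA`. The first two `pass` rules also omit the `from`/`to` keywords that every other rule in this commit uses (`pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A`); if the parser requires them this example will not load.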
diff --git a/share/ipf/example.11 b/share/ipf/example.11
new file mode 100644
index 00000000000..7fc26ebdca3
--- /dev/null
+++ b/share/ipf/example.11
@@ -0,0 +1,26 @@
+#
+# allow any TCP packets from the same subnet as foo is on through to host
+# 10.1.1.2 if they are destined for port 6667.
+#
+pass in proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
+#
+# allow in UDP packets which are NOT from port 53 and are destined for
+# localhost
+#
+pass in proto udp from fubar port != 53 to localhost
+#
+# block anything trying to get to X terminal ports, X:0 to X:9
+#
+block in proto tcp from any to any port 5999 >< 6010
+#
+# allow any connections to be made, except to BSD print/r-services
+# this will also protect syslog.
+#
+block in proto tcp/udp all
+pass in proto tcp/udp from any to any port 512 <> 515
+#
+# allow any connections to be made, except to BSD print/r-services
+# this will also protect syslog.
+#
+pass in proto tcp/udp all
+block in proto tcp/udp from any to any port 511 >< 516
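Review bot: The last two stanzas carry identical comments but opposite rule shapes (`block ... all` then `pass ... port 512 <> 515`, versus `pass ... all` then `block ... port 511 >< 516`), which reads like a copy-paste error although they are in fact equivalent: `<>` matches ports outside the range and `><` ports strictly inside it, so both leave only 512-515 blocked. The comment on the second stanza should say that it is an alternative formulation, e.g. `# same effect as the previous pair, written as a default pass with an explicit block`. The first rule's comment also speaks of "the same subnet as foo" while the rule names `fubar/24`; one of the two names should be corrected.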
diff --git a/share/ipf/example.12 b/share/ipf/example.12
new file mode 100644
index 00000000000..c0ba1d3cdda
--- /dev/null
+++ b/share/ipf/example.12
@@ -0,0 +1,17 @@
+#
+# get rid of all short IP fragments (too small for valid comparison)
+#
+block in proto tcp all with short
+#
+# drop and log any IP packets with options set in them.
+#
+block in log all with ipopts
+#
+# log packets with BOTH ssrr and lsrr set
+#
+log in all with opt lsrr,ssrr
+#
+# drop any source routing options
+#
+block in quick all with opt lsrr
+block in quick all with opt ssrr
diff --git a/share/ipf/example.13 b/share/ipf/example.13
new file mode 100644
index 00000000000..c4c1994030b
--- /dev/null
+++ b/share/ipf/example.13
@@ -0,0 +1,61 @@
+#
+# log all inbound packet on le0 which has IP options present
+#
+log in on le0 from any to any with ipopts
+#
+# block any inbound packets on le0 which are fragmented and "too short" to
+# do any meaningful comparison on. This actually only applies to TCP
+# packets which can be missing the flags/ports (depending on which part
+# of the fragment you see).
+#
+block in log quick on le0 from any to any with short frag
+#
+# log all inbound TCP packets with the SYN flag (only) set
+# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
+# had IP options present, this rule and the above would cause it
+# to be logged twice).
+#
+log in on le0 proto tcp from any to any flags S/SA
+#
+# block and log any inbound ICMP unreachables
+#
+block in log on le0 proto icmp from any to any icmp-type unreach
+#
+# block and log any inbound UDP packets on le0 which are going to port 2049
+# (the NFS port).
+#
+block in log on le0 proto udp from any to any port = 2049
+#
+# quickly allow any packets to/from a particular pair of hosts
+#
+pass in quick from any to 10.1.3.2/32
+pass in quick from any to 10.1.0.13/32
+pass in quick from 10.1.3.2/32 to any
+pass in quick from 10.1.0.13/32 to any
+#
+# block (and stop matching) any packet with IP options present.
+#
+block in quick on le0 from any to any with ipopts
+#
+# allow any packet through
+#
+pass in from any to any
+#
+# block any inbound UDP packets destined for these subnets.
+#
+block in on le0 proto udp from any to 10.1.3.0/24
+block in on le0 proto udp from any to 10.1.1.0/24
+block in on le0 proto udp from any to 10.1.2.0/24
+#
+# block any inbound TCP packets with only the SYN flag set that are
+# destined for these subnets.
+#
+block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
+block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
+block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
+#
+# block any inbound ICMP packets destined for these subnets.
+#
+block in on le0 proto icmp from any to 10.1.3.0/24
+block in on le0 proto icmp from any to 10.1.1.0/24
+block in on le0 proto icmp from any to 10.1.2.0/24
diff --git a/share/ipf/example.14 b/share/ipf/example.14
new file mode 100644
index 00000000000..a7120527a28
--- /dev/null
+++ b/share/ipf/example.14
@@ -0,0 +1,10 @@
+#
+# For a network server, which has two interfaces, 128.1.40.1 (le0) and
+# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is
+# connected to the majority of the network, whilst le0 is connected to a
+# leaf subnet. We're not concerned about filtering individual services.
+#
+pass in quick on le0 from 128.1.40.0/24 to any
+block in quick log on le0 from any to any
+block in quick log on le1 from 128.1.40.0/24 to any
+pass in quick on le1 from any to any
diff --git a/share/ipf/example.2 b/share/ipf/example.2
new file mode 100644
index 00000000000..d3333b37e9f
--- /dev/null
+++ b/share/ipf/example.2
@@ -0,0 +1,4 @@
+#
+# block all outgoing TCO packets on le0 from any host to port 23 of host bar.
+#
+block out on le0 proto tcp from any to bar/32 port != 23
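Review bot: The rule contradicts its comment: the comment says to block outgoing TCP to port 23 of host bar, but `port != 23` blocks every outgoing TCP packet to bar except those to port 23. One of the two must change; if the comment is the intent, the rule should read `block out on le0 proto tcp from any to bar/32 port = 23`. The comment also misspells TCP as "TCO".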
diff --git a/share/ipf/example.3 b/share/ipf/example.3
new file mode 100644
index 00000000000..cd31f73e7c2
--- /dev/null
+++ b/share/ipf/example.3
@@ -0,0 +1,40 @@
+#
+# block all inbound packets.
+#
+block in from any to any
+#
+# pass through packets to and from localhost.
+#
+pass in from 127.0.0.1/32 to 127.0.0.1/32
+#
+# allow a variety of individual hosts to send any type of IP packet to any
+# other host.
+#
+pass in from 10.1.3.1/32 to any
+pass in from 10.1.3.2/32 to any
+pass in from 10.1.3.3/32 to any
+pass in from 10.1.3.4/32 to any
+pass in from 10.1.3.5/32 to any
+pass in from 10.1.0.13/32 to any
+pass in from 10.1.1.1/32 to any
+pass in from 10.1.2.1/32 to any
+#
+#
+# block all outbound packets.
+#
+block out from any to any
+#
+# allow any packets destined for localhost out.
+#
+pass out from any to 127.0.0.1/32
+#
+# allow any host to send any IP packet out to a limited number of hosts.
+#
+pass out from any to 10.1.3.1/32
+pass out from any to 10.1.3.2/32
+pass out from any to 10.1.3.3/32
+pass out from any to 10.1.3.4/32
+pass out from any to 10.1.3.5/32
+pass out from any to 10.1.0.13/32
+pass out from any to 10.1.1.1/32
+pass out from any to 10.1.2.1/32
diff --git a/share/ipf/example.4 b/share/ipf/example.4
new file mode 100644
index 00000000000..23aea7edf96
--- /dev/null
+++ b/share/ipf/example.4
@@ -0,0 +1,4 @@
+#
+# block all ICMP packets.
+#
+block proto icmp from any to any mask any
diff --git a/share/ipf/example.5 b/share/ipf/example.5
new file mode 100644
index 00000000000..6e122e03bc7
--- /dev/null
+++ b/share/ipf/example.5
@@ -0,0 +1,25 @@
+#
+# test ruleset
+#
+# allow packets coming from foo to bar through.
+#
+pass from foo to bar
+#
+# allow any TCP packets from the same subnet as foo is on through to host
+# 10.1.1.2 if they are destined for port 6667.
+#
+pass proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
+#
+# allow in UDP packets which are NOT from port 53 and are destined for
+# localhost
+#
+pass proto udp from fubar port != 53 to localhost
+#
+# block all ICMP unreachables.
+#
+block from any to any icmp unreach
+#
+# allow packets through which have a non-standard IP header length (ie there
+# are IP options such as source-routing present).
+#
+pass from any to any with ipopts
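Review bot: `block from any to any icmp unreach` uses a different syntax from every other ICMP rule in this commit (`proto icmp ... icmp-type unreach` in example.7 and example.13) and omits `proto icmp`; unless the parser accepts `icmp` as a shorthand, this example will not load. Suggest `block proto icmp from any to any icmp-type unreach`. This file is labelled a test ruleset and, like example.4 and example.6, none of its rules carries an `in`/`out` direction; if the grammar requires a direction those examples need one as well.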
diff --git a/share/ipf/example.6 b/share/ipf/example.6
new file mode 100644
index 00000000000..ac91fea1b25
--- /dev/null
+++ b/share/ipf/example.6
@@ -0,0 +1,5 @@
+#
+# block all TCP packets with only the SYN flag set (this is the first
+# packet sent to establish a connection) out of the SYN-ACK pair.
+#
+block proto tcp from any to any flags S/SA
diff --git a/share/ipf/example.7 b/share/ipf/example.7
new file mode 100644
index 00000000000..062de981193
--- /dev/null
+++ b/share/ipf/example.7
@@ -0,0 +1,12 @@
+# block all ICMP packets.
+#
+block in proto icmp all
+#
+# allow in ICMP echos and echo-replies.
+#
+pass in on le1 proto icmp from any to any icmp-type echo
+pass in on le1 proto icmp from any to any icmp-type echorep
+#
+# block all ICMP destination unreachable packets which are port-unreachables
+#
+block in on le1 proto icmp from any to any icmp-type unreach code 3
diff --git a/share/ipf/example.8 b/share/ipf/example.8
new file mode 100644
index 00000000000..69fa4a2d32a
--- /dev/null
+++ b/share/ipf/example.8
@@ -0,0 +1,10 @@
+#
+# block all incoming TCP connections but send back a TCP-RST for ones to
+# the ident port
+#
+block in proto tcp from any to any flags S/SA
+block return-rst in quick proto tcp from any to any flags S/SA
+#
+# block all inbound UDP packets and send back an ICMP error.
+#
+block return-icmp in proto udp from any to any
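Review bot: The `return-rst` rule does not do what its comment promises: the comment says a TCP RST is returned only for connections to the ident port, but `block return-rst in quick proto tcp from any to any flags S/SA` has no port restriction, so with `quick` it answers every inbound SYN with a RST and the preceding silent `block` rule never matches. Restrict it to ident: `block return-rst in quick proto tcp from any to any port = 113 flags S/SA`.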
diff --git a/share/ipf/example.9 b/share/ipf/example.9
new file mode 100644
index 00000000000..77968f85d2f
--- /dev/null
+++ b/share/ipf/example.9
@@ -0,0 +1,12 @@
+#
+# drop all packets without IP security options
+#
+block in all
+pass in all with opt sec
+#
+# only allow packets in and out on le0 which are top secret
+#
+block out on le1 all
+pass out on le1 all with opt sec-class topsecret
+block in on le1 all
+pass in on le1 all with opt sec-class topsecret
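Review bot: The second comment says "only allow packets in and out on le0 which are top secret", but all four rules under it name le1; either the interface in the comment or in the rules is wrong. It is also worth stating in that comment that, under last-match semantics, the le1 stanza narrows the global `block in all` / `pass in all with opt sec` pair above it rather than replacing it, so other interfaces still require the `sec` option while le1 requires `sec-class topsecret`.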